Cyber Security
Conducting a detailed ‘Risk & Vulnerability Assessment’ may not sound exciting, but managing risk is what cyber security is fundamentally about.
You can spend endless amounts of money buying the best hardware and software, but what really matters is how it has all been configured, hardened and patched, and whether the data is backed up on a regular basis and those backups are tested too.
You also need adequate policies, processes and detailed procedures in place to govern, identify, protect, detect, respond and recover in the event of a successful data breach.
Our cyber assurance risk assessment process is the de facto Australian standard for assessing business risk when reviewing relationships with third-party suppliers and exposure to threat actors.
Our Cyber Assurance Risk Rating (CARR) methodology is based on the following ‘Security Frameworks’ from around the world including:
- ISO/IEC 27001 … the international standard for information security management systems
- The Center for Internet Security (CIS) Critical Security Controls
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), from which the five assessment categories below are taken
- The Control Objectives for Information and Related Technologies (COBIT); and
- The Information Security Manual (ISM) … developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
The standard assessment addresses five (5) categories:
- IDENTIFY
- PROTECT
- DETECT
- RESPOND
- RECOVER
IDENTIFY
Identify reviews how an organisation manages the cyber security risk to the systems, people, assets, data and capabilities that make up its critical infrastructure. The Identify function is the foundation for the CARR process: the other four functions can only be assessed against assets and risks that have actually been identified.
PROTECT
Protect calls for organisations and their teams to develop and implement the appropriate safeguards to ensure continued delivery of critical infrastructure services. Security stakeholders should look to limit the impact of a potential cyber security event by applying established good practice for data protection and overall security; in practice this is where the configuration hardening, patching and tested backups mentioned above are assessed.
DETECT
Detect is the development and implementation of activities “to identify the occurrence of a potential cybersecurity event,” with a focus on supporting the timely discovery of such events.
RESPOND
The purpose of the Respond function is to establish and put in place the procedures that enable stakeholders “to take action regarding a detected cybersecurity event.”
Every detected incident needs to be contained and its impact mitigated or eliminated, and that response should follow a rehearsed incident response plan rather than be improvised on the day.
RECOVER
The final function is Recover. It includes developing and putting in place procedures for resilience and to “restore any capabilities or services that were impaired due to the cybersecurity event.” This is where regularly tested backups prove their worth.
Review Findings / Recommendations
Our review generates a score for each of the five categories (identify, protect, detect, respond and recover) as well as an overall score.
A score of 500 or less in any category is considered a poor result, while a score of between 800 and 1,000 is deemed exceptional.
In addition to a high-level executive summary of the assessment outcomes, each review includes practical remediation steps that can be implemented in the short term.
Actioning these steps will enhance your business’s ability to withstand cyber incidents.
Policy Templates
As part of the standard risk & vulnerability assessment, we also supply the necessary industry-compliant cyber security templates at no additional charge, including:
- Policies and Procedures
- Incident Response Plans
- Risk Management
- Third-Party supplier reviews
These templates support an organisation’s, and its directors’, regulatory obligations and help establish robust cyber security measures; to be effective they still need to be tailored to the organisation and kept current.
Benefits
Organisations that complete the CARR review program gain a comprehensive understanding of their cyber risk profile, maturity level and capability to manage cyber incidents effectively.
This enables them to formulate a strategic plan, allocate the necessary resources and provide added assurance to stakeholders, including suppliers and clients, that their mission-critical and sensitive data and information is being protected.